Info guardian to investigate call centre data leaks

The Information Commissioner is launching an investigation into outsourced data centres after a television programme exposed security breaches at Indian call centres.

Channel 4's Dispatches was offered individuals' banking details for as little as £8 by criminal networks in India.

The Information Commissioner's Office (ICO) will investigate the practices of the mobile phone companies whose call centres were allegedly the source of the information. The investigation starts immediately.

"It appears that some mobile phone companies' call centres in India are being targeted by criminals intent on unlawfully obtaining UK citizens' financial records and this will be the focus of our investigation," said David Smith, deputy information commissioner.

"We are concerned by any breaches of security particularly if they involve confidential banking details. We provide clear guidance to organisations that outsource overseas to help them ensure people's personal information is secure and is processed in line with data protection principles."

The ICO could prevent some companies sending their data outside the UK for processing, forcing them to carry out back office functions in the UK. "Depending on the outcome of our investigation we will consider whether we need to use our formal enforcement powers to prevent incidents like this happening again in the future," said Smith. "Ultimately, this could include ordering a company to stop processing personal information outside the UK."

The Dispatches programme showed one man who claimed to be prepared to sell the credit card details of 200,000 people to the programme's reporter. Another claimed to be able to sell the mobile phone details of 8,000 people to the programme. Some of the information was available for as little as £8 per person.

UK organisations are responsible for the security of their customer information. If they use an outsourced call centre, whether in the UK or India, the Data Protection Act requires them to ensure that adequate security is in place.

Smith said companies which outsource their data processing or any back office functions are entirely responsible for that data and its security. It is not permissible, he said, for a company to simply pass blame on to a contractor.

"UK organisations are responsible for the security of their customer information. If they use an outsourced call centre whether in the UK or India, the Data Protection Act requires them to ensure that adequate security is in place in the call centre," he said.

Employee fraud is increasingly a problem for all companies. Fraud consultancy BDO Stoy Hayward reported earlier this year that employee fraud levels had almost tripled between 2003 and 2005 to almost £1bn in the UK. Financial services companies were the hardest hit, the report said.

Smith said the problem was by no means solely an Indian one. "This issue – where people sell on personal information for a price – is not confined to India," he said. "As our report "What Price Privacy?" shows, it happens in the UK and it is a criminal offence. Where we find evidence of breaches of the Data Protection Act we do have powers to take formal action and we do bring prosecutions."